Publicly known “magic string” lets any site run malicious code, no questions asked.

The popular Google Project Zero researcher Tavis Ormandy has discovered a critical code execution vulnerability in the Cisco WebEx browser extension. The flaw has a significant impact considering that the WebEx extension for Google Chrome has roughly 20 million active users.

The expert discovered that an attacker can trigger the vulnerability by using any URL that contains a “magic” pattern. The flaw could be exploited to remotely execute arbitrary code on the targeted WebEx user’s system by tricking victims into visiting a specially crafted website.

Cisco tried to fix the issue by limiting the magic URL to the https://*.webex.com and https://*.webex.com.cn domains, but the Google researcher highlighted that it could still be exploited through a potential cross-site scripting (XSS) flaw on webex.com.

“The extension works on any URL that contains the magic pattern “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html”, which can be extracted from the extension’s manifest. Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening; visiting any website would be enough,” states the advisory published by Ormandy.

The Chrome browser extension for Cisco Systems’ WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit.

A combination of factors makes the vulnerability among the most severe in recent memory. First, WebEx is largely used in enterprise environments, which typically have the most to lose. Second, once a vulnerable user visits a site, it’s trivial for anyone with control of it to execute malicious code with little sign anything is amiss. The vulnerability and the resulting patch were disclosed in a blog post published Monday by Tavis Ormandy, a researcher with Google’s Project Zero security disclosure service.

Martijn Grooten, a security researcher for Virus Bulletin, told Ars:

If someone with malicious intentions (Tavis, as per Google’s policy, disclosed this responsibly) had discovered this, it could have been a goldmine for exploit kits. Not only is 20 million users a large enough number to make it worthwhile in opportunistic attacks, I assume people running WebEx are more likely to be corporate users. Imagine combining this with ransomware!

All that’s required for a malicious or compromised website to exploit the vulnerability is to host a file or other resource that contains the string “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html” in its URL. That’s a “magic” pattern the WebEx service uses to remotely start a meeting on visiting computers that have the Chrome extension installed. Ormandy discovered that any visited website can invoke the command not just to begin a WebEx session, but to execute any code or command of the attacker’s choice. To make the exploit more stealthy, the string can be loaded into an HTML-based iframe tag, preventing the visitor from ever seeing it.

While Monday’s patch came a commendable two days after Ormandy privately reported the vulnerability, the researcher warned the patch may not adequately secure the Chrome extension from all types of code-execution exploits. That’s because the update still allows Cisco’s webex.com website to invoke the magic pattern with no warning. Should the site ever experience a cross-site scripting vulnerability—a vexingly common type of Web application bug that lets attackers inject scripts into Web pages—it might be possible to use it once again to exploit the WebEx extension flaw.
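As an added example (not part of either article, and not Cisco's or Ormandy's code), here is a detection check a defender could run over web-proxy logs: it flags every URL carrying the pattern quoted above and treats only Cisco's own https origins as expected, mirroring the restriction in Monday's patch. The log format, client addresses and non-Cisco hostnames are constructed for the example.

```python
import re
from urllib.parse import urlparse

# The "magic" pattern quoted in Ormandy's advisory (public; it sits in the extension manifest).
MAGIC_PATTERN = "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"

# Origins Cisco's patch restricts the pattern to. Anything else carrying the
# pattern is suspicious; even these deserve a look given the XSS caveat.
CISCO_ORIGINS = ("webex.com", "webex.com.cn")

def host_allowed(host):
    """Exact or subdomain match only, so 'webex.com.evil.example' is not allowed."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CISCO_ORIGINS)

def classify_url(url):
    """None if the URL lacks the pattern, else 'expected' (Cisco https origin) or 'suspicious'."""
    if MAGIC_PATTERN not in url:
        return None
    parsed = urlparse(url)
    if parsed.scheme == "https" and host_allowed(parsed.hostname or ""):
        return "expected"
    return "suspicious"

# Constructed proxy-log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2017-01-23T10:00:01Z 10.1.2.3 GET https://www.webex.com/meet/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html 200
2017-01-23T10:00:02Z 10.1.2.3 GET https://cdn.example.net/assets/logo.png 200
2017-01-23T10:00:03Z 10.1.2.3 GET http://ads.example.org/x/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html 200
2017-01-23T10:00:04Z 10.1.2.4 GET https://www.webex.com.evil.example/cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def scan_log(text):
    """Return (client, url, verdict) for each log line whose URL carries the pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        verdict = classify_url(m.group(4))
        if verdict:
            hits.append((m.group(2), m.group(4), verdict))
    return hits

if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {client} {url}")
```

An iframe-loaded pattern still shows up as a proxy request for the iframe's URL, so this catches the stealthy variant the article describes as long as the proxy logs full URLs.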

Some critics also faulted the fix for providing a less-than-clear warning message when WebEx-enabled browsers visit sites that load the magic string. The warning reads: “WebEx meeting launcher needs to launch a WebEx meeting on this site. WebEx meeting client will be launched if you accept this request.” The message then gives users the option of clicking Cancel or OK.

“This is a social engineering nightmare,” Filippo Valsorda, a security researcher at content delivery network CloudFlare, told Ars. He provided this guide for protecting against the vulnerability.